Self-Hosting Walkthrough

Create a Supabase project (hosted or self-hosted). Mailpipe's schema lives as ordered SQL files in supabase/migrations/. They create the core tables — organizations, domains, mailboxes, messages, API keys, usage tracking — and the Row Level Security policies that isolate every tenant.

The simplest path is the Supabase CLI. Link your project, then push the migrations:

# Authenticate and link the CLI to your project
supabase login
supabase link --project-ref your-project-ref

# Apply every migration in supabase/migrations/ in order
supabase db push

No CLI? Run the SQL directly

You can apply the same migrations against any Postgres instance with psql. They are timestamp-prefixed, so applying them in filename order reproduces the schema exactly.

for f in supabase/migrations/*.sql; do
  psql "$DATABASE_URL" -f "$f"
done

Copy the example file and fill in your own values. Everything Mailpipe reads at runtime is documented in .env.example.

cp .env.example .env.local

Required keys

• NEXT_PUBLIC_SUPABASE_URLYour project URL, e.g. https://your-project-id.supabase.co. Public.
• NEXT_PUBLIC_SUPABASE_ANON_KEYThe anon/public key used by the browser client. Public.
• SUPABASE_SERVICE_ROLE_KEYBypasses Row Level Security. Server-side only — never expose to the browser.
• RESEND_API_KEYUsed to send outbound mail and to read received messages. Starts with re_.
• ENCRYPTION_KEYAES-256-GCM key (32 raw bytes, base64) that encrypts provider API keys at rest.
• FORWARDING_HMAC_SECRETSigns reply+TOKEN local-parts for per-member forwarding. At least 16 bytes of entropy.

Optional keys

• NEXT_PUBLIC_APP_URLBase URL for auth redirects. Defaults to http://localhost:3000 in development.
• FORWARD_EMAILBootstrap mode — forwards every inbound message to this address while you set things up.
• MAILPIPE_FORWARDER_DOMAINOverride the forwarder host. Defaults to mailpipe.dev — set this to your own relay domain.

Generate the secrets

ENCRYPTION_KEY must decode to exactly 32 bytes — the app validates this at startup and throws otherwise. Generate it and the forwarding secret the same way:

# 32-byte base64 secret — use for ENCRYPTION_KEY and FORWARDING_HMAC_SECRET
node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"

Configure DNS in Resend

Add your domain in the Resend dashboard and create the records it gives you. You need an MX record so inbound mail reaches Resend, plus SPF and DKIM so your outbound mail authenticates:

# Inbound — route incoming mail to Resend
Type: MX     Host: @     Priority: 10     Value: <resend-inbound-host>

# SPF — authorize Resend to send for your domain
Type: TXT    Host: @     Value: v=spf1 include:resend.net ~all

# DKIM — Resend gives you the exact record when you add the domain
Type: TXT    Host: resend._domainkey    Value: <dkim-key-from-resend>

Use the exact host and key values Resend shows for your domain — the snippet above is the shape, not a copy-paste secret. DNS can take up to 48 hours to propagate.

Send inbound email to your deployment

In the Resend dashboard, configure the inbound webhook to POST received messages to your deployment. Mailpipe ingests them at an org-scoped route:

https://your-deployment.example.com/api/v1/inbound/<orgId>

<orgId> is the UUID of the organization row the mail should land in. There is also a more specific /api/v1/inbound/<orgId>/<domainId> variant if you want to scope a webhook to a single domain. The handler parses the payload, finds or creates the target mailbox, stores the message, and (if configured) forwards a copy.

For production, build the optimized bundle and run the Next.js server:

npm run build
npm run start

Provide the same environment variables from step 3 to your host. Mailpipe runs anywhere that can host a Next.js app — Vercel, a container, or a Node process behind your own reverse proxy. Set NEXT_PUBLIC_APP_URL to your public URL so auth redirects resolve correctly.